U2F support in OpenSSH HEAD

Damien Miller djm at mindrot.org
Sun Nov 3 21:54:28 AEDT 2019

On Sat, 2 Nov 2019, Jordan J wrote:

> I've had a patch on the bugzilla for a while related to U2F with
> support for a few additional settings such as providing a path to a
> specific key to use instead of the first one found

This would need to be implemented in the middleware library, either
the one in libfido/tools/sk-libfido2.c or another.

> and setting if user
> presence is required when using the key. Is there any objection to
> folding those parts in if appropriate?

That's possible already: at keygen time, the default is to require
user presence for signatures but you can overide this by passing the
"-x 0" flag. This is currently undocumented, and I'll hopefully soon
get around to documenting it and making it accept mnemonic string
instead of raw U2F flags.

At authentication time, I've got a patch almost ready to require
user presence that I hope to commit next week.


More information about the openssh-unix-dev mailing list